On 23/10/17 at 16:35, Arnt Gulbrandsen wrote:
> Didier Kryn writes:
>> For me the things which need to be protected are
>>
>> 1) the data
>> 2) the OS, to avoid backdoors
>>
>> I can't see any need to protect a motherboard against booting from
>> a "foreign" disk.
>
> To access the data: Boot from foreign media, modify or replace the usual
> boot partition so it looks right until it asks for the disk encryption
> password, turn off the host, wait for the owner to turn it on and type
> in the password, done.
>
I don't know of a better secure boot than your own removable media: MBR and
whole /boot on a USB key, and full disk encryption.
If you really need that level of security, don't trust any installed
boot (UEFI/GRUB/etc).
Mainboard support for UEFIs isn't capable of trusting the boot as
transparently as FOSS does.